Surveys

With high profile breach revelations seemingly part of the weekly news cycle and hard-hitting legislation like General Data Protection Regulation (GDPR) applying pressure to organizations worldwide, security awareness and best practices are now wound irretrievably into everyday commercial reality.

This, of course, is not news to IT security professionals, but what do C-level executives, departmental heads and functional leads make of security and how do they perceive its practice and importance?

The CyberArk Global Advanced Threat Landscape Report 2018 found that many organizations don’t seem to take data breach notification seriously. Half (50%) of the 1,300 plus respondents say their organization did not fully inform customers of past personal data compromises.

The ramifications are particularly significant for organizations that do business in the EU, where the GDPR data privacy law mandates pressing new obligations for data transparency.

The regulation, which goes into effect May 25, 2018, requires companies to promptly inform regulators of a breach within 72 hours of discovery. Failure to do so could result in penalties of up to $24 million or 4% of annual global revenue, whichever is higher.

Is this a real problem or is the risk of a breach a low-level concern? Security professionals that answered our survey were not confident that a serious cyber security breach could be prevented; nearly half (46%) said their organization would not be able to stop every attempt to break into the internal network.

Consumers are increasingly aware of data privacy risks and organizations need to protect their sensitive information, so it is more important than ever to properly safeguard personal data and to be prepared to act, quickly and transparently, should a compromise occur. This is not a problem limited to the security team; it is a problem for the entire business.

With serious potential consequences, it’s not surprising that business respondents in our report believe that the executive team should take a more proactive role in cyber security awareness. In fact, more than three-quarters (78%) of line-of-business respondents say security should be discussed more frequently at the board level.

In this regard, business leaders are right on the mark. Senior executives must take responsibility and accountability for cyber security initiatives to effectively close the awareness gap and strengthen security programs.

As DevOps becomes established across industries and geographies, the way in which we deliver applications and services for businesses continues to evolve and accelerate. But this agile development approach also creates serious security risks to privileged account credentials and secrets.

Security teams now have a potentially vastly expanded attack surface to contend with. Why? Because, as DevOps takes hold, more and more privileged account credentials and secrets are created and shared across interconnected access points. Compounding the risks are technologies including artificial intelligence, machine learning and automated IT, which not only expose new attack vectors, but also demand that businesses manage machine identities.

Another concern highlighted by this report is that developers and security teams alike don’t fully understand all of the places where privileged accounts and secrets exist in their IT environment. In our survey, 99% of respondents could not identify all of the places where privileged accounts or secrets reside. This crucial information is embedded in a very wide spectrum of entities scattered across IT and cloud environments—and you must be able to locate them before you can protect them.

Perhaps the biggest roadblock to securing DevOps is that security teams and app developers typically work in operational silos. In fact, only one-third (33%) of the IT professionals that we surveyed say the two teams and processes are well-integrated throughout the entire development process.

In addition to tight teamwork, you’ll need one dedicated technology solution and a single security stack that can seamlessly connect DevOps tools with enterprise security solutions. The combination of the two will enable you to build a scalable security platform that is constantly improved as new iterations of tools are developed, tested and deployed.

If there’s one takeaway from this year’s survey, it’s that many organizations don’t understand the means—or the mechanisms—to secure privileged account credentials and secrets. You won’t find a solution among traditional security programs, which haven’t kept pace with vulnerabilities created by new access points, machine identities and automated IT. To get it right, you’ll need to integrate security with DevOps and implement a unified security solution that applies common controls across disparate services and infrastructures.

If you’ve ever worked in an office, you know that you can’t access any data you want. Some files are locked away from the everyday employee: out of sight and out of mind. Whether it’s your boss’ bonus, private emails between colleagues, company financials, performance reviews or information about yet-to-be-launched products and services, access to information is limited.

A lot of people are quite comfortable with this. However, a new survey we carried out found that over half (52%) of UK office workers would access sensitive company data if they knew they wouldn’t get caught. In fact, far from being a moral issue, one in five (21%) cited a lack of technical skills as holding them back from attacking their employer.

So, what could tempt employees into accessing company information?

The survey revealed a mix of motives, from wanting to make sure they were being rewarded fairly, to having suspicions the company was unethical or corrupt, to straightforward curiosity and office gossip. What was clear, though, is that very unhappy employees are twice as likely to want to spy on company information as their happier peers.

While disgruntled or angry employees only account for 26% of insider attacks, according to Forrester[i], they are the source of some of the most costly and difficult attacks to detect. The 2016 Sage Group data breach is just one example of an employee using an internal login to steal company data, temporarily rocking the reputation of the company and, indeed, its share price.

How should employers stop malicious insiders in their tracks?

First, we should recognise that most respondents weren’t out to deliberately cause the company harm. The majority simply wanted to get their hands on information about themselves and engage in idle gossip; just 2% said they would be prepared to sell information to competitors for financial gain or to blackmail their boss.

The basic rule in defending against malicious insiders is to address the threat, not the individual. Privileged access – not people – is the true insider threat. The process of securing privileged accounts should be on-going with continuous evaluation and adjustments to improve security as the business and threat landscape changes.

To effectively protect against insider threats, organisations should minimise user privileges to reduce the attack surface, lock down privileged credentials, and control and monitor privileged accounts, which are consistently targeted by insider attackers.

The threat from outside…

While this survey highlights the potential mischief that employees can get up to without proper access controls, it’s also an important reminder of the threat that cyber attackers posing as insiders could pose.

If more than half of everyday workers would be prepared to access sensitive data, it’s not hard to imagine the damage a cybercriminal with advanced skills and malicious intentions could cause. They have no loyalty to the company and are more likely to be driven by financial or political motives over innocent curiosity.

Security teams have long known that one of the most effective ways for attackers to access sensitive data is to masquerade as a legitimate insider – using existing privileged credentials to achieve broad, unfettered access to a company’s most valuable assets. With cyber skills advancing all the time, and cybercriminals hiding behind valid credentials to avoid being caught, companies must be more alert than ever to stop unwanted insiders in their tracks and protect their most valuable information.

[i] “Understand The State Of Data Security And Privacy: 2015 To 2016”, Forrester Research, Inc., January 8, 2016

While the vast majority of respondents (82 percent) believe the IT security industry is making progress against cyber attacks, those gains are undercut by egregious security practices in critical areas such as privileged account security, third-party vendor access and cloud. With that theme in mind, our take on some of the key findings is below. We encourage you to read the full, free report for your own assessment of the findings.

Bad Security Habits Persist, Despite Rising Awareness. Seventy-nine percent of respondents state their organization has learned lessons from major cyber attacks. Yet many fail to enforce best practices or adequately prioritize security initiatives in the right areas to effectively protect against advanced threats—underscoring a wide gap between “awareness” and “preparedness.” For example, more than half of the respondents state they have evolved or changed processes for managing privileged accounts, yet 40 percent of organizations still store privileged and administrative passwords in a Word document or spreadsheet and 28 percent use a shared server or USB stick.

The Risks of Overconfidence. Today, three out of four IT decision makers believe they can prevent attackers from breaking into their internal network—up from 44 percent in 2015. However, this [over]confidence is counter to the number of increasingly aggressive and damaging attacks reported. In fact, 46 percent of respondents believe their organization has been the victim of a ransomware attack in the last two years.

Future Risks and Prioritization Challenges. As cyber attacks continue on trusted institutions such as government, utilities and financial systems, when asked about emerging risks, respondents note they are most concerned with distributed denial-of-service (DDoS) attacks, phishing, ransomware, privileged account exploitation and perimeter breaches.

With threats against critical infrastructure, such as the much-publicized power outage in the Ukraine, no longer science fiction, respondents share their opinion on which scenarios present the most immediate and potentially catastrophic cyber security threat in general. The majority (58 percent) feel an attack on financial systems, including disruption of global stock markets, is the most threatening.

The findings of this year’s Global Advanced Threat Landscape Survey of 750 global IT & IT security decision makers demonstrate that cyber security awareness doesn’t always equate to being secure. Too often, organizations undermine their own efforts by failing to enforce well-known security best practices.

The majority of today’s breaches are a result of poor security hygiene. Organizations can’t lose sight of the broader security picture while trying to secure against the threat du jour. This means consistently executing on the fundamentals, from keeping security patches and software versions up-to-date, to implementing and enforcing least privilege access policies and using strong authentication as needed, and listening to auditors and consultants.

Today we unveiled the findings from our 2015 Global Advanced Threat Landscape Survey. Now in its ninth year, this report pinpoints cyber security trends and emerging risks based upon a compilation of interviews with 673 IT security and C-level executives from organizations around the globe.

The primary takeaway is clear: Cyber attacks that exploit privileged and administrative accounts – the credentials used to manage and run an organization’s IT infrastructure – represent the greatest enterprise security risks today.

While we encourage you to read the full, free report, here’s our take on some of the key findings:

More than a Data Breach – Complete Network Takeover
The majority of respondents (61 percent) cited privileged account takeover as the most difficult stage of a cyber attack to mitigate, up from 44 percent in last year’s study. Awareness of this security risk has increased and for good reason. High profile attacks on Sony Pictures, the U.S. Office of Personnel Management (OPM) and others illustrate how, with privileged credentials in-hand, attackers can exfiltrate sensitive data or conduct a hostile takeover of network infrastructure. This new reality highlights the threat of privileged account hijacking within the enterprise, yet many organizations still struggle to identify and locate privileged accounts across their networks. If they can’t find them, how can they protect them?

Corporate Confidence and a False Sense of Data Security
Despite mounting evidence to the contrary, 44 percent of respondents continue to believe they can keep motivated attackers off the network or reasonably discover them once they’ve infiltrated an organization. This confidence is misplaced. Today, it is no longer acceptable for organizations’ security programs to presume they can keep attackers off their network. They must adopt the mindset that the attacker has already made it inside.

Organizations Fail to Recognize Emerging Threats Inside the Network
When asked to rank the type of attacks they were most concerned about, many respondents pointed to perimeter attacks, such as phishing (70 percent), as their primary concern. There was less awareness about potentially devastating compromises that happen within the network, such as Pass-the-Hash and Kerberos attacks, including Golden Ticket, which can enable complete control over a target’s network by taking over the domain controller. It’s time for business and IT leaders to turn their focus to what can be done to stop attackers once they are inside the network and recognize that phishing and other unsophisticated means of attack will happen, and they will be successful.

Today’s most damaging attacks occur when attackers steal privileged and administrative credentials and gain the same level of access as the internal people managing the systems. This puts an organization at the mercy of an attacker’s motivation, be it financial, espionage or causing harm to the business. With ongoing education and increasing awareness about the devastating fallout of privileged account takeover, there is an accelerated shift in the industry’s security mentality.